Is your company concerned by NIS2?

You’ve probably heard of NIS2 without being sure it applies to you. Here’s the honest answer: it probably does. And even if it doesn’t directly, your clients might force your hand anyway

Or you’re a US company and someone just forwarded you an email about NIS2 compliance. Your first instinct is to ignore it. Before you do: check whether you have European customers. If you do, this might be your problem too.

NIS2 is the EU’s updated cybersecurity directive. Its predecessor covered a few hundred critical operators across Europe. NIS2 expands that to tens of thousands of entities, across every EU member state.

Two questions to figure out if you’re in scope

NIS2 applies based on two criteria: your sector and your size.

Your sector. The directive splits companies into two buckets:

• Essential entities: energy, transport, banking, healthcare, water, digital infrastructure
• Important entities: postal services, waste management, chemicals, food, manufacturing, digital providers

Your size. You’re in scope if:

• You have more than 50 employees, OR
• Your annual revenue exceeds €10 million

Tick both boxes, sector and size, and you’re almost certainly covered.

You’re a supplier. You think you’re safe. You’re not.

This is where most SMBs get it wrong.

NIS2 doesn’t just target companies directly. It requires every in-scope company to secure its supply chain. Which means your clients, if they’re subject to NIS2, will push the obligation down to you.

Concretely:

• Your clients will ask for proof of your security posture
• Contracts can be refused or suspended if you don’t meet their requirements
• The regulatory pressure flows all the way down the chain, even to the smallest suppliers

If you work with hospitals, banks, energy companies, or public infrastructure, expect the question to land on your desk if it didn’t happened yet.

What NIS2 actually requires you to do

If you’re in scope, the directive imposes concrete obligations:

• Report security incidents to the national authority within 24 hours
• Put cybersecurity governance at board level, this isn’t something you can delegate to a junior IT person
• Run regular risk analyses, documented, not theoretical
• Secure your access controls: strong authentication, supplier management, network segmentation
• Test your business continuity and recovery plans, on paper doesn’t count

What happens if you ignore it

Fines for essential entities: up to €10 million or 2% of global revenue, whichever is higher.

For important entities: up to €7 million or 1.4% of global revenue.

But the real kicker: directors can be held personally liable. This isn’t a fine that lands on the company and disappears into overheads. It can land on you, personally.

Where to start

If you haven’t assessed your NIS2 exposure yet, the first step is a gap analysis. Not a full compliance program, just an honest picture of where you stand and what’s missing.

Most companies that do this find the situation is more manageable than they feared. The problems are specific, the fixes are prioritisable, and the path is clearer than the regulation itself suggests.

Quick self-check:

• Is my sector on the NIS2 list?
• Do I have more than 50 employees or €10M in revenue?
• Do any of my clients fall under NIS2?
• Do I have a documented incident response process?
• Is cybersecurity a board-level topic in my company?

If you answered “no” or “not sure” to any of these, now is the right time to find out.